Secure encrypted data communication system having physically secure IC cards and session key generation based on card identifying information

ABSTRACT

A secure encrypted data communication system between IC cards inserted in respective terminals. In order to encrypt plain text sent from a first terminal to a second terminal, a first IC card (51) receives a random number (r1) generated by a second IC card (52), and uses the number together with a secret key (ka) to generate a session key (ks1). The second IC card receives identification information (IDa) from the first IC card, and uses that information together with a master key (km) to obtain the secret key (ka), which is then used together with the random number to generate the same session key (ks1). Encryption of plain text sent from the second terminal to the first terminal can be done in a similar manner using a random number (r2) generated by the first IC card, and the identification information (IDb) of the second IC card.

TECHNICAL FIELD

The present invention relates to a data carrier such as an IC card which is usable for cipher communication, and a data communication apparatus using it.

BACKGROUND ART

In order to perform cipher communication in a secret key cipher system, both parties which make communication are required to hold in common a key in advance. Hitherto, sharing of the key has been performed by a system as shown in FIG. 11 for example. Referring to FIG. 11, numeral 41 designates a coder which is used by a sending party of a message (hereinafter is simply referred to as a sending party), and 42 designates a decoder which is used by a receiving party of the message (hereinafter is simply referred to as a receiving party), and the coder 41 comprises a random number generating means 43, a first enciphering means 44 and a second enciphering means 45, and the decoder 42 comprises a first decoding means 46 and a second decoding means 47.

Operation of the conventional common ownership system of the key composed like this is described hereafter. Since the key for enciphering a plain text of a message (hereinafter is simply referred to as a plain text) m is required to be changed frequently from the aspect of safety, a random number which is generated by the random number generating means 43 is used. Hereinafter, this is described as a session key. The sending party sends an output r1 (it is called a session key as another name) of the random number generating means 43 which is held in the coder 41 to the receiving party in order to hold in common with the receiving party; but if r1 is sent in the state of raw data it is liable to be tapped on the communication line between the coder 41 and the decoder 42, and hence 41 is enciphered by the enciphering means 44 and is sent. The key which is used to encipher r1 is called a master key km, and it is the key which is held in common by the sending party and receiving party in advance. The master key is used only when the session key is sent by enciphering, and is generally fixed during a long time period. The decoder 42 of the receiving party decodes the enciphered random number by the master key km and restores r1 by using the first decoding means 46. Thereby, since the sending party and receiving party have held in common the session key r1, thereafter, cipher communication of the plain text m can be accomplished by the session key r1 by using the second enciphering means 45 and the second decoding means 47. In the event that the session key is changed, a new random number r2 (not shown) is generated by the random number generating means 43; and in the same manner as described above, r2 is held in common by the cipher communication by means of the master key km and is made the session key.

Now, the case of cipher communication between two communication parties A and B is assumed. The communication party A and the communication party B encipher the session key r1 by using the master key km and send. When another communication party C holds the master key km, all cipher text which is exchanged between the communication parties A and B can be deciphered since the communication party C can decipher the session key r1. Therefore, it is required that the master key km is known by only the communication party A and the communication party B, and in the event that, for example, the communication party A carries out cipher communication with the communication party C, a master key which is other than km is used. Namely, the communication party A must hold the master keys which are identical with the number of the parties which carry out the cipher communication.

In such a conventional system, there is no problem in the event that a small number of parties are to be communicated with; but in a network having unspecified many subscribers, the communication parties to be communicated with become a large number, and management of the key becomes a big problem. As a means for solving it, the method in which a center for performing management of the key is provided, and prior to prosecution of the cipher communication, the center delivers (or transmits) the common session key to both the parties, is generalized, but there is a defect that the center must intervene in every common holding operation of the key. On the other hand, as another solution, there is a method using the public key cipher system which is superior in management of the key, but the public key cipher system entails a much longer processing time in comparison with the secret key cipher system. As mentioned above, in the conventional cipher communication method, a big problem has existed with respect to the management of the key.

In view of such a problem, the present invention is directed to provide a data carrier with which common ownership of the key is safely, easily and speedily realizable, on the basis of the features that internal data is physically safe and calculation ability exists, and a data communication apparatus using it.

DISCLOSURE OF THE INVENTION

In order to achieve the object, the data carrier of the present invention has a configuration comprising means for holding a first data which is impossible to be changed to data which is designated from outside, first enciphering means for enciphering the first data by a secret key, first decoding means for decoding a cipher text inputted from outside by said first data, second decoding means for decoding enciphered second data inputted from outside by the second secret key, and a second enciphering means for enciphering a plain text which is inputted from the outside or stored inside by the output of the above-mentioned second decoding means.

The feature of a configuration of the present invention is the point that the first secret key and the second secret key are stored in a memory in the IC card which is physically safe, and the point that a first data which is automatically generated by own IC card as a decoding key is used, and the key generated on the basis of a second data which is sent from the party is used for an enciphering key. The reason that the above-mentioned object is realized by this configuration can be elucidated as follows.

First, since the first secret key and the second secret key are stored in the memory in the IC card which is physically safe, these secret keys can not be read out even by the owner of the IC card. Therefore, without using the IC card which stores these secret keys, the first data and second data can not be restored from the output of the first enciphering means and the enciphered second data which are inputted from the outside. Consequently, the cipher text which is inputted from the outside and the cipher text which is output from the second enciphering means can not be deciphered.

If the second secret key is common to the whole IC cards, an evil-minded person can rebuild the second data in his own IC card by tapping the enciphered second data and inputting it into own IC card. However, the function that the IC card can perform by using the second data is only to encipher, and it has no decoding function. On the other hand, the key for decoding in this IC card is a first data which is automatically generated by own IC card. Namely, the evil-minded third person can not make setting of the decoding key and decoding using the key simultaneously.

From the above-mentioned matter, by the configuration of the IC card of the present invention, the IC card which has generated the first data, namely only the IC card of the receiving party can decode the cipher text, and the cipher communication is made safe. Furthermore, common ownership of the key is easily realized, by using the IC card of the present invention, since both the list of the secret key and the center are not required. Moreover, since it can be composed of only the secret key cipher, high speed processing is made possible.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 is a figure of a system configuration of a system using an IC card of the present invention,

FIG. 2 is a block diagram showing the IC card having a key common ownership function in accordance with an embodiment of the present invention,

FIG. 3 and FIG. 10 are block diagrams of the IC cards which configurate a key common ownership system which is not safe,

FIG. 4, FIG. 5, FIG. 6, FIG. 8 and FIG. 9 are block diagrams showing the IC cards having the key common ownership function in accordance with other embodiment of the present invention,

FIG. 7 is a block diagram showing random number generating means in accordance with an embodiment of the present invention,

FIG. 11 is the figure of the system configuration showing the conventional key common ownership method.

BEST MODE FOR CARRYING OUT THE INVENTION

FIG. 1 is a block diagram showing an example of a data communication apparatus using an IC card which is used as an example of a data carrier of the present invention. Referring to FIG. 1, numeral 1 designates a first terminal, numeral 2 designates a second terminal, numeral 3 designates a first IC card having a cipher apparatus 4 in the same body, numeral 5 designates a second IC card having a decoding apparatus 6 in the same body. Moreover, the first terminal 1 comprises an input apparatus 7 and a transmission apparatus 8, and the second terminal 2 comprises an output apparatus 9 and a reception apparatus 10.

A process for carrying out cipher communication by this system is shown hereafter. First, in starting the cipher communication, a sending party inserts the first IC card 3 in the first terminal 1, and a receiving party inserts the second IC card 5 in the second terminal 2. After then, the sending party inputs a plain text m by using the input apparatus 7. The plain text m is inputted into the first IC card 3, and is converted into a cipher text c by the enciphering apparatus 4 and is output. The first terminal 1 outputs the cipher text c to the second terminal 2 by using the transmission apparatus 8. On the other hand, the receiving party receives the above-mentioned cipher text c by using the reception apparatus 10. The cipher text c is inputted to the second IC card 5, and is decoded to the plain text m by the decoding apparatus 6 and is output. The second terminal 2 outputs the restored plain text m by using the output apparatus 9. A system for carrying out the cipher communication by using the IC card for a cipher apparatus and a decoder in this manner is considered. In carrying out an actual cipher communication, common ownership of the session key is required, as mentioned above. As to this, elucidation is made with reference to the detailed figures of the IC card shown after FIG. 2. With respect to FIG. 2 and thereafter, the first terminal 1 and the second terminal 2 are omitted in the drawings.

FIG. 2 is a block diagram of the IC card in accordance with an embodiment of the present invention. Referring to FIG. 2, numeral 11 designates the first IC card, and numeral 12 designates the second IC card. The first IC card 11 comprises first decoding means 13 and second enciphering means 14. Then, the second IC card 12 comprises random number generating means 15, first enciphering means 16 which is paired with the first decoding means 13, the second decoding means 17 which is paired with the second enciphering means 14.

Hereafter, the present embodiment is elucidated in compliance with FIG. 2. Since the second IC card 12 holds the key in common, the random number r1 which is output by the random number generating means 15 is enciphered by a master key km by using the first enciphering means 16 and is sent to the first IC card 11. By using the first decoding means 13, the first IC card 11 decodes the enciphered random number by the master key km and restores r1. Thereby, using this as the session key, the cipher communication of the plain text m1 can be carried out by the second enciphering means 14 and the second decoding means 17, since the first IC card 11 and the second IC card 12 hold the random number r1 in common. Therein, master key km is a common value to whole IC cards.

The reason that the key common ownership method shown in FIG. 2 is safe is elucidated hereafter. First, since the master key km is stored in the memory in the IC card which is physically safe, the master key km can not be read out even by the owner of the IC card. Therefore, even if the output of the first enciphering means 16 is tapped on the communication line, the random number r1 can not be decoded from the output of the first enciphering means 16 without using the IC card in which the master key km is stored. Consequently, the cipher text output from the second enciphering means 14 can not be deciphered.

Subsequently, the case in which three communication parties A, B, C which belong to the system are present, and the C intends to decipher the cipher text which is exchanged between the A and B is considered. Since the C is the communication party which belongs to the system, the C has the first IC card 11 or the second IC card 12. First, the assumption is made that the C has the first IC card 11. If the C taps the output of the first enciphering means 16 which is exchanged between the A and the B, and inputs it into the own IC card, restoration of the random number r1 in own IC card is possible by the first decoding means 13 and the master key km. However, the function that the IC card can perform by using the random number r1 is only for enciphering by the second enciphering means 14, and there is no decoding function. On the other hand, even if the C has the second IC card 12 having the second decoding means 17, the key in decoding of the IC card is the random number which is automatically generated by the IC card. Namely, the C can not make simultaneously arbitrary setting of the decoding key and decoding process using the key by using own IC card.

This feature becomes more clear when compared with the method of common ownership of unsafe key shown in FIG. 3. Referring to FIG. 3, numeral 101 designates the first IC card, and numeral 102 designates the second IC card. The first IC card 101 comprises a random number generating means 103, a first enciphering means 104 and a second enciphering means 105. The second IC card 102 comprises a first decoding means 106 which is paired with the first enciphering means 104 and a second decoding means 107 which is paired with the second enciphering means 105. What is different from the embodiment of FIG. 2 is that the first IC card 101 for transmitting a plain text m1 generates the random number r1, and sends it to the second IC card 102. In other words, the second IC card 102 performs the decoding process by using the random number r1 as a key which is sent from other party. In this method, the third party having the second IC card 102 decodes the r1 in own IC card by tapping the pair of the output of the first enciphering means 104 and the output of the second enciphering means 105, and inputting them into own IC card, and thereby the cipher text with respect to the plain text m1 can be deciphered. As mentioned above, by the method shown in FIG. 3, safe common ownership of the key can not be realized.

From the above-mentioned fact, by the configuration of the IC card shown in FIG. 2, the IC card which has generated the random number, namely only the second IC card 12 of the reception party is able to decode the cipher text, and it is understood that the cipher communication is safe. Moreover, if the IC card shown in FIG. 2 is used, common ownership of the key is easily realizable since both the list of the secret keys and the center are not required. Additionally, since it is composed of only the secret key cipher, high speed processing is possible.

FIG. 2 shows the case of a single direction communication, but in the event that both-direction communication is carried out, the configuration as shown in FIG. 4 is preferable. Referring to FIG. 4, numeral 21 designates the first IC card, numeral 22 designates the second IC card, and numerals 13-17 are identical with those of FIG. 2, and the configuration are completely identical with FIG. 2. In order to communicate in inverse direction of the embodiment of FIG. 2, as other elements, the first IC card 21 comprises a second random number generating means 23, a third enciphering means 24, and a fourth decoding means 25. Moreover, the second IC card 22 comprises a third decoding means 26 which is paired with the third enciphering means 24, and a third enciphering means 27 which is paired with the fourth decoding means 25. The part which is composed of numerals 23-27 are symmetrical to the part which is composed of the numerals 13-17. Namely, when the second IC card 22 sends a plain text m2 to the first IC card 21, the first IC card 21 generates a random number r2 by using the second random number generating means 23, and it is enciphered by the third enciphering means 24 and is sent. The second IC card 22 decodes r2 which is enciphered by using the third decoding means 26 and r2 is obtained. After then, the first IC card 21 and the second IC card 22 perform the cipher communication of the plain text m2 by the fourth enciphering means 27 and the fourth decoding means 25 by using r2 as a session key.

Here, by using the same master key km that has been used when the random number r1 is enciphered as a key for enciphering and sending the random number r2, furthermore by using the same one which is to be applied on the same calculation to the first enciphering means 16 and the third enciphering means 24 (in a similar manner with respect to the decoding means 13 and 26 which are paired with them), and by using the same one which is to be applied on the same calculation to the second enciphering means 14 and the fourth enciphering means 27 (in a similar manner with respect to the decoding means 17, 25 which are paired with them), the first IC card 21 and the second IC card 22 become the same configuration except for the first random number generating means 15 and the second random number generating means 23. Namely, the communication parties which belong to the system carry out the cipher communication of both directions with an arbitrary communication party which belongs to this system by having each one IC which has the same configuration. In this case, the first and the second random number generating means 15, 23 are preferable to output different random number series with respect to each IC card, but reference to this is minutely elucidated hereinafter.

Though each IC card comprises both the decoding means (13 or 26) for restoring the random number and the decoding means (25 or 17) for restoring the message, in a similar manner to the embodiment of FIG. 2, deciphering of the cipher text which is directed to other person is impossible, and safety of the cipher communication is maintained since an arbitrary establishment of the decoded key and decoding processing by using the key can not be carried out simultaneously by using own IC card.

FIG. 5 is a block diagram showing other embodiment of the IC card of the present invention. Referring to FIG. 5, numeral 31 designates the first IC card, numeral 32 designates the second IC card. The first IC card 31 comprises a first exclusive logical sum calculation means 33, a first enciphering means 34, a second random number generating means 35, a second exclusive logical sum calculation means 36, and a second decoding means 37. And, the second IC card 32 comprises a first random number generating means 38, a third exclusive logical sum calculation means 39, a first decoding means 40 which is paired with the first enciphering means 34, a fourth exclusive logical sum calculation means 41, and a second enciphering means 42 which is paired with the second decoding means 37. Here, the first enciphering means 34 and the second enciphering means 42 perform the same calculation (it is the similar with respect to the decoding means 40, 37 which are paired with them). The present embodiment is identical with the embodiment of FIG. 4, and shows the case which performs bilateral communication, and the first IC card 31 and the second IC card 32 have entirely the same configuration except for the random number generating means 38, 35.

Hereafter, according to FIG. 5, operation of the present embodiment is elucidated. First, the case in that the first IC card 31 sends a plain text m1 to the second IC card 32 is elucidated. The second IC card 32 sends the random number r1 which is generated by the first random number generating means 38 to the first IC card 31. The first IC card 31 and the second IC card 32 perform exclusive logical sum calculation of the random number r1 and the master key km by using a first exclusive logical sum calculation means 33 and the third exclusive logical sum calculation means 39, respectively, and a session key ks1 is obtained. The master key km is common to the whole IC cards. Hereafter, the first IC card 31 and the second IC card 32 carry out cipher communication of the plain text m1 by using the session key which is common to both the parties. In the case where the second IC card 32 sends a plain text m2 to the first IC card 31 is also carried out in the same manner by generation of a random number r2 by the first IC card 31 using the second random number generating means 35.

Safety of the embodiment, similarly with the embodiment of FIG. 2 and FIG. 4, is assured by that arbitrary setting of the decoding by using own IC card and the decoding processing by using the key can not be carried out simultaneously.

However, in the above-mentioned example, since the whole communicating parties which belong to the system have the card of the same configuration, pretending as other person is possible. An example of an IC card which is added with a function for certifying such other person in order to prevent this, is shown in FIG. 6. Referring to FIG. 6, numeral 51 designates the first IC card, and numeral 52 designates the second IC card. The first IC card 51 comprises first exclusive logical sum calculation means 52, a first enciphering means 54, a second random number generating means 55, a second key generating means 56, a second exclusive logical sum calculation means 57 and a second decoding means 58. Moreover, the second IC card 52 comprises a first random number generating means 59, a first key generating means 60, a third exclusive logical sum calculation means 61, a first encoding means 62 which is paired with the first enciphering means 54, a fourth exclusive logical sum calculation means 63, and a second enciphering means 64 which is paired with the second decoding means 58. Where, the first enciphering means 54 and the second enciphering means 64 perform the same calculation (the decoding means 62, 58 which are paired with them are identically performed). Additionally, the first key generating means 60 and the second key generating means 56 perform the same calculation. In a manner similar to the embodiment of FIG. 4 and FIG. 5, though the present embodiment shows the case performing both directions communication, the first IC card 51 and the second IC card 52 have card identifying information (IDa, IDb) and secret keys (Ka, Kb) which are different from each card, respectively.

Hereafter, operation of the present embodiment is elucidated in compliance with FIG. 6. First, the case in which the first IC card 51 sends a plain text m1 to the second IC card 52 is elucidated. The second IC card 52 sends the random number r1 which is generated by the first random number generating means 59 to the first IC card 51. On the other hand, the first IC card 51 sends own card identifying information IDa to the second IC card 52. The second IC card 52 performs calculation by using the card identifying information IDa which is sent from the other party and the master key km as parameters. Here, relation between the card identifying information and the secret key of whole IC cards is set in each IC card at the time of publication so as to satisfy that

    Secret key=F (card identifying information, km)

F: Function of key generating means

km: a master key which is common to whole IC card.

Consequently, the result of the above-mentioned calculation is

    ka=F (IDa, km), and

thus, the secret key of the first IC card 51 is generated in the second IC card 52. Subsequently, the first IC card 51 and the second IC card 52 carry out exclusive logical sum calculation of the random number r1 and the secret key ka by using the first exclusive logical sum calculation means 53 and the third exclusive logical sum calculation means 61, respectively, and the session key ks1 is obtained. After then, the first IC card 51 and the second IC card 52 carry out cipher communication of a plain text m1 by using the session key ks1 which is common to both parties. The case that the second IC card 52 sends a plain text m2 to the first IC card 51 can be performed in the same manner by that the first IC card 51 generates the random number r2 by using the second random number generating means 55 and the second IC card 52 sends own card identifying information IDb to the second IC card 51.

Safety of the present embodiment is assured in a manner similar to the above-mentioned embodiments, because an arbitrary setting of the decoding key by using one's own IC card and decoding processing by using the key can not be simultaneously carried out. Further, in the present embodiment, even if an evil-minded third party pretends as the owner of the first IC card 51 and sends IDa to the second IC card 52, a message making sense can not be sent by enciphering, since only the first IC card 51 has the secret key ka, for example. Therefore, fraud due to "pretending" can be easily seen through by a suitable protocol.

Safety of the embodiments hitherto described mainly depends on the structure of the random number generating means. Namely, if the random number which is generated by own IC card can be manipulated, or the random number system can be predicted, the evil-minded person is capable of deciphering the tapped cipher text by using own IC card. For example, if the random number generating means has a structure bringing the input from the outside into a parameter, a necessary random number can be generated in own IC card. Moreover, if the random number system is common to whole IC cards, the random number which is automatically generated in the inside of own IC card can be anticipated by investigating the random number system of an IC card. On the basis of this aspect, a safe random number generating means which is impossible to be manipulated from the outside and generates a random number system which is different from each IC card is shown in FIG. 7.

FIG. 7 is a block diagram of the random number generating means, and numeral 72 designates a non-volatile memory which is capable of electric rewriting, numeral 73 designates an adder, and numeral 74 designates enciphering means. The non-volatile memory 72 stores data of 64 bits, for example. The adder 73 adds 1 to 64 bits data which is stored in the non-volatile memory 72, and omits the overflow part and generates the 64 bits data. The 64 bits data is inputted to the enciphering means 74, simultaneously is fed back to input for the subsequent calculation by the adder 73, and is stored in the non-volatile memory 72. The enciphering means 74 enciphers the 64 bit data which is output from the adder 73 by the key which is peculiar to each IC card and outputs. As the key which is peculiar to each IC card, for example the secret keys Ka, Kb shown in the embodiment of FIG. 6 are usable.

Here, if the output of the adder 73 has a long period, the output value of the enciphering means 74 becomes an enough random value. Moreover, since an output from the outside is not used at all, even the owner of the IC card can not manipulate the output of the random number generating means. Furthermore, the key of the enciphering means 74 is a peculiar value to each IC card, and hence even if the random number generating means of whole IC cards has the same configuration, the output random number system is different from each IC card.
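The session key derivation of FIG. 6 and the random number generating means of FIG. 7 can be traced end to end in a short simulation. This is an added example, not part of the original patent text: the patent does not specify F or the cipher in enciphering means 74, so HMAC-SHA256 truncated to 64 bits stands in for both, and the class and function names, the master key value and the byte-string card IDs are constructed for illustration.

```python
import hashlib
import hmac

BLOCK = 8  # 64-bit values, as in the FIG. 7 description
KM = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed master key


def prf(key: bytes, data: bytes) -> bytes:
    """Assumed stand-in for F and for enciphering means 74 (HMAC-SHA256, 64 bits)."""
    return hmac.new(key, data, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    """Exclusive logical sum of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


class Card:
    """Model of one IC card of FIG. 6. In a real card km, the secret key, the
    counter and the session key never leave the chip; the session key is
    returned here only so the demo can compare both sides."""

    def __init__(self, card_id: bytes, km: bytes, nvm_counter: int = 0):
        self.card_id = card_id
        self._km = km
        self._secret = prf(km, card_id)   # secret key = F(card ID, km), set at issue
        self._counter = nvm_counter       # contents of non-volatile memory 72
        self._pending_r = None

    def new_random(self) -> bytes:
        """FIG. 7: add 1 modulo 2**64, store the sum, encipher it under the card's own key."""
        self._counter = (self._counter + 1) % 2**64
        self._pending_r = prf(self._secret, self._counter.to_bytes(BLOCK, "big"))
        return self._pending_r

    def session_key_as_sender(self, peer_r: bytes) -> bytes:
        """Sending side: ks = r XOR own secret key."""
        return xor(peer_r, self._secret)

    def session_key_as_receiver(self, peer_id: bytes) -> bytes:
        """Receiving side: rebuild the peer's key from its ID and km, then XOR
        with the random number this card generated itself."""
        if self._pending_r is None:
            raise RuntimeError("no random number has been generated by this card")
        return xor(self._pending_r, prf(self._km, peer_id))


def demo_fig6() -> dict:
    a = Card(b"IDa", KM)   # first IC card 51 (sender of m1)
    b = Card(b"IDb", KM)   # second IC card 52 (receiver of m1)
    c = Card(b"IDc", KM)   # a third subscriber who will claim to be IDa

    r_first = b.new_random()        # counter value 1 on card B
    r1 = b.new_random()             # counter value 2 on card B, used for this session
    r_other_card = a.new_random()   # counter value 1 on card A

    ks_b = b.session_key_as_receiver(a.card_id)  # B is told "IDa"
    ks_a = a.session_key_as_sender(r1)           # the genuine card A
    ks_impostor = c.session_key_as_sender(r1)    # card C holds kc, not ka

    return {
        "r_first": r_first, "r1": r1, "r_other_card": r_other_card,
        "ks_a": ks_a, "ks_b": ks_b, "ks_impostor": ks_impostor,
    }


if __name__ == "__main__":
    for name, value in demo_fig6().items():
        print(f"{name:13s} {value.hex()}")
```

Because r1 is sent unenciphered in FIG. 6 and ks1 is the exclusive logical sum of r1 and ka, ks1 XOR r1 equals ka, so the scheme relies on the session key never leaving the physically safe card.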

FIG. 8 is a block diagram of an IC card in accordance with other embodiment of the present invention. Referring to FIG. 8, numeral 211 designates a first IC card, and numeral 212 designates a second IC card, and in order to hold a common key and the like, the first IC card 211 comprises a first random number generating means 213, a first enciphering means 214 and a second decoding means 215, and the second IC card 212 comprises a second random number generating means 216, a first decoding means 217 which is paired with the first enciphering means 214, and a second enciphering means 218 which is paired with the second encoding means 215. And, in order to send a message from the first IC card 211, the first IC card 211 comprises a third enciphering means 219, a first register 220 and a first exclusive logical sum calculation means 221. Moreover the second IC card 212 comprises a third decoding means 222 which is paired with the third enciphering means 219, a second register 223 and a second exclusive logical sum calculation means 224. Furthermore, in order to send a message from the second IC card 212, the first IC card 211 comprises a fourth decoding means 225, a third register 226 and a third exclusive logical sum calculation means 227. Furthermore, the second IC card 212 comprises a fourth enciphering means 227 which is paired with the fourth decoding means 225 and a fourth register 229 and a fourth exclusive logical sum calculation means 230.

Hereafter, operation of the present embodiment is elucidated, in compliance with FIG. 8. First, the first IC card 211 enciphers the first random number r1 output from the first random number generating means 213 by a master key km by using the first enciphering means 214 and sends it to the second IC card 212. The second IC card 212 decodes the enciphered random number by the master key km and restores the first random number r1 by using the first decoding means 217. Moreover, the second IC card 212 enciphers the second random number r2 output from the second random number generating means 216 by the master key km by using the second enciphering means 218 and sends it to the first IC card 211. The first IC card 211 decodes the enciphered random number by the master key km and restores the second random number r2 by using the second decoding means 215. By the process as above-mentioned, the first IC card 211 and the second IC card 212 result in holding two secret random numbers r1, r2 in common.

Subsequently, a method for sending a message from the first IC card 211 to the second IC card 212 by using r1, r2 which are held in common is elucidated. In the following elucidation, a sign "+" means exclusive logical sum calculation. First, at start of the cipher communication, as an initial state, the first random number r1 is stored in the first and second registers 220, 223. The first IC card 211 divides the message of the plain text to be sent into respective ciphering units. Plural blocks which are obtained as mentioned above, are named as m1, m2, m3. The third enciphering means 219 applies a ciphering process to the head block m1 by using the second random number r2 as a key, and as a result c1=E3r2(m1) is output to the first exclusive logical sum calculation means 221. Here, E3 shows a cipher function of the third ciphering means 219. The first exclusive logical sum calculation means 221 calculates an exclusive logical sum of the input c1 from the enciphering means 219 and the data (initial value r1) in the first register 220, and sends the result c1+r1 to the second IC card 212.

On the other hand, the second IC card 212 restores the plain text m1 from the received data (cipher text) c1+r1 in the following manner. The second IC card 212 calculates an exclusive logical sum of the above-mentioned received data c1+r1 and the data (initial value r1) in the second register 223, and the result (c1+r1)+r1=c1 is output to the third decoding means 222. The decoding means 222 applies the decoding process to the above-mentioned data c1=E3r2(m1) by using the second random number r2 as a key, and restores the result m1. Thereafter, the first IC card 211 stores the plain text m1 in the first register 220 as a replacement for the initial value r1, while the second IC card 212 stores the restored plain text m1 in the second register 223 as a replacement for the initial value r1. Therefore, the first IC card 211 and the second IC card 212 hold r1 and r2 in common, and as long as the data in communication is not varied accidentally or intentionally, the same value is always stored in the first register 220 and the second register 223. All of the plain text can be restored by repeating for m2, m3 the same process as described above for the head block m1.

In the event that the plain text blocks m4, m5, m6 are sent from the second IC card 212, the cipher communication can be carried out in a similar manner by using the fourth decoding means 226, the third register 226, the third exclusive logical sum calculation means 227, the fourth enciphering means 228, the fourth register 229 and the fourth exclusive logical sum calculation means 230. The data value at each important point in this case is shown in the following Table 1. The sign "+" in Table 1 denotes exclusive logical sum calculation.

TABLE 1
The case of transmission of a message from the second IC card in FIG. 8
______________________________________________________________________
Second IC card 212       Sending and        First IC card 211
Normal      Fourth       receiving data     Third       Restored
sentence    register                        register    sentence
______________________________________________________________________
m4          r1           E4r2(m4) + r1      r1          m4
m5          m4           E4r2(m5) + m4      m4          m5
m6          m5           E4r2(m6) + m5      m5          m6
______________________________________________________________________

The reason why the present embodiment is safe is elucidated hereafter. First, since the master key km is stored in the memory of the IC card, which is physically safe, even the owner of the IC card cannot read out the master key km. Therefore, even if the output of the first enciphering means 214 and the output of the second enciphering means 218 are tapped on the communication line, the first random number r1 and the second random number r2 cannot be restored without using an IC card in which the master key km is stored. Consequently, deciphering of the cipher text is impossible.

Subsequently, a case is considered in which there are three communication parties A, B, C which belong to this system, and C intends to decipher the cipher text which is exchanged between A and B. Since C is a communicating party which belongs to this system, C has the first IC card 211 or the second IC card 212. First, it is assumed that C has the second IC card 212, and intends to decipher the cipher text from the first IC card 211. In this case, even if C taps the cipher text which is sent from the first IC card 211 (namely, the output of the first exclusive logical sum calculation means 211) and inputs it to his own IC card, the tapped cipher text cannot be decoded correctly, since the decoding key of the third decoding means 222 is not the second random number r2 but a random number which is automatically generated in the IC card at that time.

Subsequently, it is assumed that C has the first IC card 211, and intends to decipher the cipher text from the second IC card 212. In this case, the second random number r2, namely the decoding key of the fourth decoding means 225, can be generated in his own IC card by the second decoding means 215 and the master key km, if C taps the output of the second enciphering means 218 which is exchanged between A and B (namely, the enciphered second random number) and inputs it to his own IC card. However, at this time, the IC card of C cannot correctly decode the cipher text from the second IC card 212, since the IC card automatically generates a random number internally by the first random number generating means 213 (this random number is r3), and sets it as the initial value of the third register 226. The state is shown in the following Table 2. From Table 2, it is understood first that m1 is not correctly decoded, since r1≠r3. Since the m1 which is not correctly decoded is fed back to the third register 226, the successive m2 is also not correctly decoded. In this way, the influence of r1≠r3 extends to all successive data, and deciphering of the cipher text which is output from the second IC card 212 becomes completely impossible.

TABLE 2
The case that the initial value of the register differs in FIG. 8
______________________________________________________________________
Second IC card 212       Sending and        First IC card 211
Normal      Fourth       receiving data     Third       Restored
sentence    register                        register    sentence
______________________________________________________________________
m4          r1           E4r2(m4) + r1      ≠r1         ≠m4
m5          m4           E4r2(m5) + m4      ≠m4         ≠m5
m6          m5           E4r2(m6) + m5      ≠m5         ≠m6
______________________________________________________________________

The feature of the present invention is further clarified by comparison with the unsafe cipher communication system shown in FIG. 9. FIG. 9 shows a block diagram of an IC card which performs unsafe cipher communication; numeral 281 designates a first IC card, and numeral 282 designates a second IC card. All structural elements and the configuration of 213-224 are completely identical with FIG. 8, but as to 225-230, the point that the second IC card 212 has a feed-back function and the first IC card 211 has a feed-forward function is inverted relative to the case of FIG. 8.

In this configuration, the case in which the third party C having the first IC card 281 attempts to decipher the cipher text which is output from the second IC card 282 is considered. As mentioned above, C can generate the second random number r2 by tapping the output of the second enciphering means 218 and by inputting it to his own IC card. At the same time, the IC card of C automatically generates the random number r3, which is different from the first random number r1. With r2 used as the decoding key and r3 used as the initial value of the third register 226, the data value at each important point in the attempt to decipher the cipher text from the second IC card 282 is shown in the following Table 3. As is understood from Table 3, although the head block cannot be deciphered, the influence does not extend to the later blocks since the receiving side has no feed-back function, and deciphering is possible from the second block onward. In the system shown in FIG. 9, safe cipher communication is therefore not realized.

TABLE 3
The case in which the initial value of the register differs in FIG. 9
______________________________________________________________________
Second IC card 282       Sending and             First IC card 281
Normal      Fourth       receiving data          Third       Restored
sentence    register                             register    sentence
______________________________________________________________________
m4          r1           c4 = E4r2(m4 + r1)      ≠r1         ≠m4
m5          c4           c5 = E4r2(m5 + c4)      c4          m5
m6          c5           c6 = E4r2(m6 + c5)      c5          m6
______________________________________________________________________

As is understood from the above, with the configuration of the IC card shown in FIG. 8, only an IC card which can hold both the first random number r1 and the second random number r2, namely only the IC card of a party concerned in the cipher communication, is able to decipher the cipher text, and the cipher communication is secured. And, by using the IC card shown in FIG. 8, common ownership of the key is easily realized, since neither the list of the secret keys nor the center is necessary. Moreover, since it can be structured with only the secret key cipher, high speed processing is realizable.
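The contrast between Table 2 and Table 3 can be reproduced with the following added example, which is not part of the patent. It assumes a toy 4-round Feistel cipher as a stand-in for E4 (the page does not specify the cipher), and the values of r1, r2, r3 and the message blocks are constructed; party C knows r2 but starts the register with r3 instead of r1.

```python
import hashlib

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def round_f(key, i, half):
    # Toy round function (assumption): the page does not specify E4.
    return hashlib.sha256(key + bytes([i]) + half).digest()[:4]

def E(key, blk):                 # 4-round Feistel over an 8-byte block
    l, r = blk[:4], blk[4:]
    for i in range(4):
        l, r = r, xor(l, round_f(key, i, r))
    return l + r

def D(key, blk):                 # inverse of E
    l, r = blk[:4], blk[4:]
    for i in reversed(range(4)):
        l, r = xor(r, round_f(key, i, l)), l
    return l + r

def fig8_send(r1, r2, blocks):   # Table 1: send E(m) + register, register <- m
    reg, out = r1, []
    for m in blocks:
        out.append(xor(E(r2, m), reg))
        reg = m
    return out

def fig8_recv(init, r2, data):   # feed-back of the restored plain text
    reg, out = init, []
    for d in data:
        reg = D(r2, xor(d, reg))
        out.append(reg)
    return out

def fig9_send(r1, r2, blocks):   # Table 3: c = E(m + register), register <- c
    reg, out = r1, []
    for m in blocks:
        reg = E(r2, xor(m, reg))
        out.append(reg)
    return out

def fig9_recv(init, r2, data):   # feed-forward of the received cipher text
    reg, out = init, []
    for c in data:
        out.append(xor(D(r2, c), reg))
        reg = c
    return out

def compare():
    r1, r2, r3 = b"R1-const", b"R2-const", b"R3-const"   # constructed values
    msg = [b"block-m4", b"block-m5", b"block-m6"]         # constructed blocks
    ok = lambda got: [g == m for g, m in zip(got, msg)]
    w8, w9 = fig8_send(r1, r2, msg), fig9_send(r1, r2, msg)
    return {
        "fig8_party": ok(fig8_recv(r1, r2, w8)),  # legitimate receiver
        "fig8_C":     ok(fig8_recv(r3, r2, w8)),  # C: right key, wrong register
        "fig9_party": ok(fig9_recv(r1, r2, w9)),
        "fig9_C":     ok(fig9_recv(r3, r2, w9)),
    }

if __name__ == "__main__":
    for name, recovered in compare().items():
        print(name, recovered)
```

Because the cipher is a bijection, a wrong register value in the FIG. 8 receiver always yields a wrong block, which is then fed back and corrupts the next one; in the FIG. 9 receiver the register is refilled from the tapped cipher text, so only the head block is lost.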

And, the first IC card 211 and the second IC card 212 become completely the same in configuration except for the first random number generating means 213 and the second random number generating means 216, by using means which apply the same calculation for the first enciphering means 214 and the second enciphering means 218 (the same holds for the decoding means 217, 215 which are paired with them), and furthermore by using means which apply the same calculation for the third deciphering means 219 and the fourth enciphering means 228 (the same holds for the decoding means 222, 225 which are paired with them). Namely, the communication parties which belong to this system can perform bidirectional cipher communication with an arbitrary communication party which belongs to this system by each having one IC card of the same structure. In this case, it is preferable that the random number generating means 213, 216 output a random number sequence which differs for each IC card.

FIG. 10 is a block diagram of the IC card with an enciphering processing function in accordance with another embodiment of the present invention. Referring to FIG. 10, numeral 251 designates a first IC card, and numeral 252 designates a second IC card. The first IC card 251 comprises a first random number generating means 253, a fifth exclusive logical sum calculation means 254, and a sixth exclusive logical sum calculation means 225 for holding in common a key and an initial value of a register; and the second IC card 252 comprises a second random number generating means 256, a seventh exclusive logical sum calculation means 257 and an eighth exclusive logical sum calculation means 258. The structural elements 219-230 for performing cipher communication of a message, and their configuration, are completely identical with the embodiment of FIG. 8.

Hereinafter, operation of the present embodiment is elucidated with reference to FIG. 10. The first IC card 251 sends the first random number r1 which is generated by the first random number generating means 253 to the second IC card 252, in order to hold in common the key and the initial value of the register. The first IC card 251 and the second IC card 252 perform exclusive logical sum calculation of the random number r1 and the master key km by using the fifth exclusive logical sum calculation means 254 and the seventh exclusive logical sum calculation means 257, respectively, and a common key ks is obtained. In a similar manner, a common initial value I is obtained in the registers 220, 223, 226 and 229 by using the second random number generating means 256, the sixth exclusive logical sum calculation means 255 and the eighth exclusive logical sum calculation means 258. The method of cipher communication thereafter and the safety of the present embodiment are completely identical with the embodiment of FIG. 8, and thus the elucidation is omitted.

INDUSTRIAL APPLICABILITY

As mentioned above, according to the present invention, common ownership of a key for cipher communication is safely, easily and speedily realizable by storing a secret key in an IC card which is physically safe, generating a decoding key from a random number which the IC card of a reception party automatically outputs, and generating an enciphering key from the random number which is sent from the reception party. Moreover, in comparison with the conventional key common ownership system using the secret key cipher, the present invention has a very useful feature in practical use, in that common ownership of the key is realizable without requiring either the list of the secret keys or a key distribution (or translation) center. Moreover, since it is realizable with only the secret key cipher, it is superior to the conventional method of cipher communication using a public key cipher in the processing speed which is required for ciphering and decoding.

Furthermore, by making all IC cards which are used in one system with the same configuration except for the card identifying information and the secret key which are peculiar to each IC card, in the aspect of operation, bidirectional communication is realizable with an arbitrary communication party which belongs to the system; and on the other hand, in the aspect of fabrication, mass-production of the IC card is made possible, and the effect in practical use is very large.

We claim:
1. A data communication apparatus having a first terminal and a second terminal, wherein:

said first terminal has
a) input means for inputting plaintext information;
b) a first data carrier for receiving said plaintext information and for providing an output, said first data carrier including enciphering means for enciphering said plaintext information;
c) first terminal transmitting means for transmitting said output of said data carrier to said second terminal as enciphered data and for transmitting first data carrier identifying information to said second terminal; and
d) first terminal receiving means for receiving enciphering operation-data from said second terminal;

said second terminal has
a) second terminal receiving means for receiving said transmitted output from said transmitting means;
b) a second data carrier for deciphering the enciphered data and for providing an output, said second data carrier including deciphering means for deciphering the enciphered data; and
c) second terminal transmitting means for transmitting enciphering operation-data to said first terminal;

said deciphering means comprises
a) means for generating said enciphering operation-data;
b) master key storage means for storing a master key; a master key stored in said master key storage means;
c) key generating means for generating a deciphering secret key based on said first data carrier identifying information transmitted to said second terminal and on said master key;
d) first calculation means for generating a deciphering session key based on said deciphering secret key and said enciphering operation-data; and
e) ciphertext processing means for deciphering said enciphered data based on said deciphering session key; and

said enciphering means comprises
a) first data carrier identifying information storage means for storing first data carrier identifying information;
b) first data carrier identifying information stored in said first data carrier identifying information storage means;
c) enciphering secret key storage means for storing an enciphering secret key;
d) an enciphering secret key stored in said enciphering secret key storage means;
e) second calculation means for generating an enciphering session key based on said enciphering operation data transmitted to said first terminal and on said enciphering secret key;
f) plaintext processing means for enciphering said plaintext information using said session key.